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Description 

BACKGROUND OF THE INVENTION 

5 [0001] The present invention relates to an information processing equipment, and more particularly to an information 
processing apparatus suitable for a tamper resistance device such as an IC card providing high security. 
[0002] An IC card is mainly used for storing information in a manner so as not to be altered by a third party or for 
enciphering data or deciphering a cipher text by using a cipher key which is kept in secret. Since the IC card is not 
provided with a power source, it becomes operable only when it is inserted into a reader-writer. The IC card receives 

10 a command from the reader-writer to execute data transfer. 

[0003] As shown in Fig. 1 , an IC card has the structure that an IC card chip 1 02 is fabricated on a card 1 01 . A general 
IC card has contacts via which a power is supplied from a reader-writer and data is transferred. 
[0004] The structure of an IC card chip is basically the same as that of a microcomputer. As shown in Fig. 2, the IC 
card chip includes a centra! processor 201 , a storage memory 204, an input/output port 207, and a co-processor 202. 

15 The central processor 201 executes logical and arithmetic calculations, and the storage memory 204 stores programs 
and data. The input/output port 207 communicates with a reader-writer. The co-processor 202 is a special calculation 
device for executing modular calculations, and is used for calculations in anti-symmetric RSA or the like. Many of IC 
card processors have no co-processor. A data bus 203 interconnects components of the IC card. 
[0005] The storage memory 204 includes a ROM (Read Only Memory), a RAM (Random Access Memory), an EEP- 

20 ROM (Electrically Erasable Programmable Read Only Memory) and the like. ROM is a memory device whose contents 
cannot be rewritten freely, and is mainly used for storing programs. RAM is a memory whose contents can be rewritten 
freely and are erased if a power supply is intercepted. When the IC card is disconnected from the reader-writer, a 
supply of the power is intercepted so that the contents of RAM cannot be retained. EEPROM is a memory whose 
contents can be retained even if a power supply is intercepted. Therefore, EEPROM is used for storing data which 

25 may be rewritten and can be retained even if the IC card is disconnected from the reader-writer. For example, the 
number of prepaid times of a prepaid card is stored in EEPROM because it is updated each time the card is used and 
the contents thereof are required to be retained even if the card is disconnected from the reader-writer. 
[0006] An IC card is used for storing programs and important information in the IC card chip to execute a cipher 
process. It has been long considered that the difficulty in decryption of a cipher process executed in the IC card is the 

30 same as that in decryption of a ciphering algorithm. However, it has been suggested recently that there is a possibility 
of presuming the contents of a cipher process and a cipher key by measuring and analyzing a consumption current 
while the cipher process is executed, easier than decryption of a cipher algorithm. The consumption current can be 
monitored by measuring the current supplied from the reader-write. This possible danger is described in "Smart Card 
Handbook", by W. Rankl & W. Effing, John Willey & Sons, paragraph 8.5.1 .1 "Passive protective mechanism", at p. 263. 

35 

SUMMARY OF THE INVENTION 

[0007] CMOSs constituting an IC card chip consume current when an output state changes from "1" to "0" or vice 
versa. The data bus 203 in particular flows a large current when its state changes from "1 " to "0" or vice versa, because 
40 the data bus has a large electrical capacitance. This suggests a possibility of presuming the operation state in the IC 
card chip by monitoring the consumption current. 

[0008] Fig. 3 shows wave shapes of consumption current during one cycle operation of an IC card chip. Depending 
upon processed data, the current wave shape becomes different as indicated at 301 and 302. This difference is gen- 
erated depending upon data on the bus 203 and data being processed by the central processor 201. 

45 [0009] Consider now the data transfer on a pre-charge bus of 16 bits. The pre-charge bus is reset prior to data 
transfer so that all bits on the bus have a value "0". If the data having the same number of "1" bits and different values, 
e.g., data of hexadecimal "88" and "11" both having two "1" bits, is transferred to this bus, the current wave shapes 
are generally the same. This is because the numbers of bits changing from "0" to "1" are the same and the same 
current is consumed to have similar current wave shapes. If the data having a difference of one "1" bit, e.g., data of 

50 hexadecimal "89" and "19" both having three "1" bits, is transferred to this bus, the current wave shape becomes 
different from that of the data having two "1" bits. This is because the number of bits changing from "0" to "1" changes 
to three bits and a corresponding current is consumed increasingly. Therefore, as compared to the data having two 
"1 " bits, the consumption current increases in amount corresponding to one bit. There is a regularity that the larger the 
number of "1" bits, the larger the amplitude of the current wave shape becomes. From this regularity, the transferred 

55 data can be presumed. 

[0010] The current wave shapes shown in Fig. 3 indicate the total sum of current flowing not only through the bus 
but also through other components constituting the IC card chip. A microcomputer such as an IC card chip includes a 
phase during which data is transferred mainly to the bus, a phase during which a CPU operates mainly, a phase during 
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which data is written in a register, and other phases. If the phases are taken into account, it is possible to know by 
which component a difference between consumption currents was mainly produced, and the data process at the com- 
ponent can be presumed. 

[0011] A difference between consumption currents will be described by using as an example the following left shift 
5 instruction. 

shiftl R1 (1) 

w [0012] This instruction shifts the contents of the register R1 to the left, i.e., shifts the bit train in the register to the 
left, and the value of the most significant bit is entered in a condition code register as a carry. Since the most significant 
bit in the register R1 is transferred via the data bus to the condition cord register, whether the most significant bit is "0" 
or "1" can be possibly discriminated by comparing the amplitudes of current wave shapes. If important data is stored 
in the register R1, there is a possibility of discriminating whether this data is "0" or "1" although the data is only one 

15 bit. The cryptographic process, particularly DES, frequently uses an operation of shifting a cipher key. During this shift 
operation, the current wave shape allowing to presume the data of the cipher key is generated so that there is a 
possibility that the cipher key is presumed. 

[0013] The above-described case is also applied to the operation of the co-processor 202. If the operation contents 
include any unbalance dependent upon a cipher key, this. shift can be presumed from the consumption current, and 

20 there is a possibility that the cipher key is presumed. 

[0014] An issue associated with the present invention is to reduce the relation between the data process in an IC 
card chip and its consumption current If the relation between the data process in an IC card chip and its consumption 
current can be reduced, it becomes difficult to presume the data process in the IC card chip and the cipher key, from 
the observed consumption current shapes. The feature of this invention is to make difficult to presume the data process 

25 and the cipher key from the consumption current wave shape, by processing the data in the IC card chip after it is 
transformed. 

[0015] These objects are, according to the invention, seived by the features of claims 1, 2, 3, 4 and 13. 

[0016] The tamper resistance device, typically an IC card chip, is considered as an information processing equipment 

which comprises: a storage memory including a program storage unit for storing a program and a data storage unit for 

30 storing data; and a central processing unit for executing a data process in accordance with the program, the program 
including one or more data process means each being a process instruction for giving an execution instruction to the 
central processing unit. According to the invention, as the method of reducing the relation between the data process 
in an IC card chip and its consumption current, data is first transformed by using disturbance data and then processed. 
After this process, the data is untransformed by using the disturbance data to obtain a correct process result. The 

35 disturbance data to be used after the data process may be the same disturbance data used for the data process, if 
necessary. The disturbance data is changed randomly at each data process. With these processes, during each data 
process, transformed data can be used without using the original data. It becomes therefore difficult to presume the 
data from current wave shapes. 

[0017] Specifically, disturbance data Xi is first generated and the data D1 is transformed by using the disturbance 
40 data Xi to generate transformed data H1 . The transforming method may be exclusive logical OR, addition, multiplication 
or the like. During the data process, the transformed data H1 is processed to generate processed and transformed 
data H2. Since the transformed data H1 is used instead of original data H1, it is difficult to presume the data D1 from 
the current wave shapes during the process of the transformed data •HI. Since the transformed data is generated by 
using different disturbance data Xi at each process, the transformed data generated at each process is different. There- 
45 fore, the current wave shape during the process of the transformed data H1 becomes different at each process. Pre- 
suming the transformed data H1 from current wave shapes is therefore meaningless. 

[001 8] If it is necessary for the disturbance data Xi to be processed in a manner similar to the data D1 , the disturbance 
data Xi is processed to generate processed disturbance data. The processed and transformed data H1 is processed 
by using the processed disturbance data Xo to generate the processed data D2 which is a result of the input data 

50 process for the input data D1 . 

[0019] If it is necessary to use different data transformation methods, it may be required to connect several data 
transformations. In such a case, a combination of a data transforming process, a transformed data process, a distur- 
bance data process, and a data untransforming process is used and these several data transformations are connected 
so as not to process original data. 

55 [0020] According to this invention, it is possible to conceal the information that may be gotten in the permutation 
process and substitution process for replacing data and in the access process to data tables, during execution of an 
encryption algorithm. The transformation process that ensures to get the correct data is one of effective methods to 
be used for data encryption and decryption. In this transformation process, the exclusive logical OR is used to transform 
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data in a data exchanging process, and the transformed data and disturbance data are processed by the same method 
in the data process. 

[0021] A typical structure of the invention is as follows. An information processing equipment comprising: a storage 
memory including a program storage unit for storing a program and a data storage unit for storing data; a central 

s processing unit for executing a data process in accordance with the program, the program including one or more data 
process means each being a process instruction for giving an execution instruction to the central processing unit; and 
input data processing means wherein one data processing means processes input data and outputs the processed 
data, comprises: data transforming process means for transforming input data D1 by using disturbance data Xi to 
generate transformed data H1; transformed data processing means for executing an operation process OP1 for the 

10 transformed data H1 in place of the operation process OP1 for the input data D1 to be executed by the input data 
processing means, to generate processed and transformed data H2; disturbance data processing means for executing 
the operation process OP1 for the disturbance data Xi to generate processed disturbance data Xo; and data untrans- 
forming processing means for executing an operation process QP2 for the processed and transformed data H2 by 
using the processed disturbance data Xo, to generate processed, data D2 which is a result of the operation process 

15 OP1 for the input data D1 . 

[0022] The operation process OP1 corresponds, for example, to the process of an embodiment illustrated in Fig. 4 
to be described later. The operation process OPV corresponds, for example, to the process for disturbance data 2 
(510 to 513, and 516 to 520). 



20 BRIEF DESCRIPTION OF THE DRAWINGS 



[0023] Fig. 1 is a diagram showing an example of the structure of hardware of a known IC card. 

[0024] Fig. 2 is a diagram showing an example of the structure of hardware of a known IC card chip. 

[0025] Fig. 3 is a diagram showing examples of wave shapes of consumption current of an IC card. 

[0026] Fig. 4 is a diagram illustrating a procedure of data transformation using one disturbance data according to an 

embodiment of the invention. 

[0027] Fig. 5 is a diagram illustrating a procedure of data transformation using two sets of disturbance data in a 
nesting state, according to an embodiment of the invention. 

[0028] Fig. 6 is a diagram illustrating a procedure of data transformation using two sets of disturbance data in a 
continuous state, according to an embodiment of the invention. 

[0029] Fig. 7 is a diagram illustrating a procedure of data transformation wherein disturbance data is processed in 
advance, according to an embodiment of the invention. 

[0030] Fig. 8 is a diagram illustrating a procedure of data transformation wherein the untransforming processes for 
the two sets of disturbance data are unified, according to an embodiment of the invention. 

[0031] Fig. 9 is a diagram illustrating the overall process flow of DES, according to an embodiment of the invention. 
[0032] Fig. 10 is a diagram illustrating the f function process of DES, according to an embodiment of the invention. 
[0033] Fig. 11 is a diagram illustrating a transforming process 1, according to an embodiment of the invention. 
[0034] Fig. 12 is a diagram illustrating an IP process, according to an embodiment of the invention. 
'[0035] Fig. 13 is a diagram illustrating a PC-1 process, according to an embodiment of the invention. 
[0036] Fig. 14 is a diagram illustrating a PC-2 process, according to an embodiment of the invention. 
[0037] Fig. 15 is a diagram illustrating an LS process, according to an embodiment of the invention. 
[0038] Fig. 16 is a diagram illustrating a selectable permutation E process, according to an embodiment of the in- 
vention. 

[0039] Fig. 17 is a diagram illustrating an XOR process between a result of the selectable permutation E process 
and a cipher key, according to an embodiment of the invention. 

[0040] Fig. 18 is a diagram illustrating an S box process, according to an embodiment of the invention. 
[0041] Fig. 19 is a diagram illustrating a permutation P process, according to an embodiment of the invention. 
[0042] Fig. 20 is a diagram illustrating an XOR process between a result of the permutation P process and a result 
at the preceding stage. 

[0043] Fig. 21 is a diagram illustrating an IP-1 process, according to an embodiment of the invention. 
[0044] Fig. 22 is a diagram illustrating an untransforming process, according to an embodiment of the invention. 
[0045] Fig. 23 is a diagram illustrating a process of forming a transformed S box table, according to an embodiment 
of the invention. 

[0046] Fig. 24 is a diagram illustrating an i-th transformed S box table forming routine, according to an embodiment 
of the invention. 

[0047] Fig. 25 is an i-th S box table, according to an embodiment of the invention. 

[0048] Fig. 26 is a table having transformed data of the i-th S box table of the embodiment. 

[0049] Fig. 27 is a table having transformed positions of the i-th S box table of the embodiment. 
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[0050] Fig. 28 is a selectable permutation E table, according to an embodiment of the invention. 
[0051] Fig. 29 is a permutation P table, according to an embodiment of the invention. 

[0052] Fig. 30 is a diagram illustrating an encryption process for disturbance data, according to an embodiment of 
the invention. 

[0053] Fig. 31 is a diagram illustrating a transforming calculation process for encryption data for disturbance data, 
according to an embodiment of the invention. 

[0054] Fig. 32 is a diagram illustrating a decryption process for disturbance data, according to an embodiment of the 
invention. 

[0055] Fig. 33 shows an example of an original table according to an embodiment of the invention. 

[0056] Fig. 34 shows a table whose contents are modified from those of the table shown in Fig. 33, according to the 

embodiment of the invention. 

[0057] Fig. 35 shows a table whose arrangement is modified from that of the table shown in Fig. 34, according to 
the embodiment of the invention. 

[0058] Fig. 36 is a diagram illustrating a transforming process b, according to an embodiment of the invention. 

[0059] Fig. 37 is an IP permutation table according to an embodiment of the invention. 

[0060] Fig. 38 is a PC-1 selectable permutation table according to an embodiment of the invention. 

DETAILED DESCRIPTION OF THE EMBODIMENTS 

[0061] Embodiments of the invention will be described with reference to the accompanying drawings. 

[0062] Fig. 1 is a plain view of an IC card. The position of an IC card chip 102 and the number of contacts and their 

operation assignments of the IC card 101 are defined by ISO 7816 specifications. 

[0063] Fig. 2 shows the internal structure of the IC card chip 102. The structure has been described already with 
respect to conventional techniques. According to this invention, data to be processed by the program 205 is disturbed 
so that it becomes difficult to presume original data from the wave form of power consumed by the hardware of the IC 
card chip during data processing. The fundamental concept will be described by taking as an example the following 
simple instruction train: 



xor R1 R2 (3) 

[0064] The equation (2) is an instruction for logically looping the value in a register R1 to the left. The most significant 
bit moves to the least significant bit. The result is loaded in the register R1 . The exclusive logical OR between the result 
and the value in a register R2 is calculated by the equation (2), and this result is loaded in the register R2. These 
operations are performed by this instruction train. Such instructions are frequently used in a cipher algorithm such as 
DES. Since the equations (2) and (3) use the process data itself, the amplitude of the power consumption is changed 
with the contents of the process data. There is therefore a possibility of presuming the data by monitoring the power 
consumption shape. 

[0065] In order for the equations (2) and (3) not to use the process data itself, the instruction train is changed to: 

xor X1 R1 (4) 

xor X2 R2 (5) 

logica_shift1 R1 (6) 

xorR1 R2 (7) 

logica_shift1 X1 (8) 
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where X1 and X2 are arbitrary random numbers and are data for disturbance. With the equations (4) and (5), an 
exclusive logical OR between R1 and X1 and between R2 and X2 is calculated to execute a transforming process for 
transforming original data. Although the equations (6) and (7) are expressed same as the equations (2) and (3), the 
10 values Riband R1 in the equations (6) and (7) are not the values of original data because the transforming process 
was executed. With the equations (8) and (9), the disturbance data itself is processed. With the equation (10), an 
exclusive logical OR between the processed disturbance data and the process result of the equation (7) is calculated 
to execute an untransforming process for recovering the original data. 

[0066] These processes will be specifically described by using particular numerical values. R1 and R2 have the 
15 following values: 

R1:11001010 (11) 

20 R2:01010111 (12) 

[0067] The value of R1 processed by the equation (2) is: 

25 R1:10010101 (13) 

[0068] The process result by the equation (3) is: 

30 R2:11000010 (14) 

[0069] A modification of this invention will be described. First, the disturbance data has the following values, with the 
same values of R1 and R2 being used: 

35 

X1:10010111 (15) 

4Q X2:001 11010 (16) 

[0070] The process result by the equations (4) and (5) are: 
4S R1:01011101 (17) 

R2:01101101 (18) 
50 [0071] The process results by the equations (6) and (7) are: 

R1:10111010 (19) 

55 R2:11010111 (20) 

[0072] The process results of the data X1 and X2 for disturbance by the equations (8) and (9) are: 
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X1:001011 1 1 



X2:00010101 (22) 

[0073] The result of the untransforming process by the equation (10) is the same as the result of the original data 
process indicated by the equation (14): 

R2:1 1000(310 (23) 

[0074] As shown in this example, the transformed original data and the disturbance data are processed in a similar 
manner, and the results are untransformed to recover the original value. Since this data process does not use original 
data itself, it is difficult to presume the original data from the current wave shape, although the transformed data can 
be presumed. 

[0075] The above example using particular numerical values will be expressed by a general format. The actual proc- 
ess is as follows: 

Output(j) = f(lnput(i)) (24) 

[0076] This process means that i inputs are subjected to a process f to output j outputs. In the example shown by 
the equations (2) and (3), there are two inputs R1 and R2 and one output stored in the register R2. In order that it 
becomes difficult to presume original data from the current wave shape during the process of the equation (24), the 
following equations are used: 

InputX(i) = h(lnput(i), X(i)) (25) 
OutputXO) = f(lnputX(i)) (26) 
Xoutput(j) = f(X(i)) (27) 

Output(j) = g(OutputX(i), Xoutput(i)) (28) 

[0077] The equation (25) transforms the input data Input(i) by using disturbance data X(i) to generate the transformed 
input data InputX(i). This transformation operation is represented by h. The equation (26) is a data process for process- 
ing data by using transformed input data. The equation (27) is a disturbance data process for processing the disturbance 
data in a manner similar to the input data. The equation (28) is an untransforming process for reversely processing 
the transformed input data process result OutputXO) and the disturbance data process result Xoutput(j). The untrans- 
forming operation is represented by g. 

[0078] The process by the equation (25) corresponds to the equations (4) and (5) in the above-described example, 
and the transformation operation h corresponds to the exclusive logical OR. The transformed input data process by 
the equation (26) corresponds to the equations (6) and (7). The euqations (8) and (9) show the data processing for 
the disturbance data in the equation (27). The untransforming process by the equation (28) corresponds to the equation 
(10). The transformation operation g corresponds to the exclusive logical OR. 

[0079] Which operations are selected for the transformation operation h and untransformation operation g is deter- 
mined by the characteristics of the data process f. In the process by the equations (2) and (3), the exclusive logical 
OR is the transformation operation h and also the untransformation (inverse) operation g. For a shift operation and an 
XOR operation, by selecting the exclusive logical OR as the transformation operation h, the untransformation (inverse) 
operation g is the exclusive logical OR. This is because, the exclusive logical OR between the same data is logical 0 
and the operation of. the exclusive logical OR is vanished. 

[0080] If the data process f is addition/subtraction, addition or subtraction can be selected as the transformation 
operation h and the corresponding inverse operation g is subtraction or addition. For example, the following operation: 
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Output = lnput(1 ) + lnput(2) - lnput(3) (29) 

can be transformed into: 

5 

lnputX(1) = lnput(1) + X(1) (30) 

1Q lnputX(2) = lnput(2) + X(2) (31) 

lnputX(3) = lnput(3) + X(3) (32) 
15 [0081] By processing the transformed input data, the process result of the transformed input data can be obtained: 
OutputX = lnputX(1 ) + lnputX(2) - lnputX(3) (33) 
20 [0082] The disturbance data is processed in the similar manner: 

Xoutput = X(1 ) + X(2) - X(3) (34) 
25 [0083] Next, the untransforming process is executed: 

Output = g(Xoutput) = OutputX - Xoutput 
30 = lnputX( 1 ) + I nputX(2) - lnputX(3) 

-(X(1) + X(2)-X(3)) 
= lnput(1) + lnput(2)-lnput(3) (35) 

35 

[0084] In the above manner, the original data can be obtained. This is because the original data can be obtained, in 
the addition/subtraction calculation, by adding a certain value and subtracting the added value from the last process 
result. 

[0085] For the data process f of multiplication/ division, the transforming process and untransforming process can 
40 be realized by selecting multiplication or division as the transformation operation h and division or multiplication as the 
untransformation operation. This is because, similar to the addition/subtraction, the original data can be obtained, in 
the multiplication/division calculation, by multiplying (dividing by) a certain value and dividing (multiplying) the last 
process result by the value. 

[0086] For the data process f of addition and subtraction in modular calculation, addition and subtraction of the 
45 number multiplying the modulus N by a voluntary integer can be selected as the transformation operation h. For ex- 
ample, consider the following addition and subtraction in modular calculation: 

Output = (lnput(1) + lnput(2) - lnput(3)) mod N (36) 

50 

[0087] The input data Input (i) is transformed: 

InputX(i) = Input(i) + k(i) * N (37) 

55 

[0088] By using the transformed input data, the addition and subtraction in modular calculation is executed: 
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OutputX = (lnputX(1 ) + lnputx(2) - lnputx(3)) mod N (38) 

[0089] The equation (38) can be transformed by using the equation (37): 

OutputX = ((lnput(1) + k(1 )* N) 

. + (lnput(2) + k(2) * N) 
- (Input{3) + k(3) * N)) mod N 
= ((lnput(1 ) + lnput(2) - lnput(3)) 
+ (k(1)*N + k(2)*N-k(3)*N))modN (39) 

[0090] By using the property of the modular calculation: 

0 = k * N mod N (40) 

the value in the second parentheses of the equation (3) becomes 0 and the equation (39) is given by: 

OutputX = (lnput(1 ) + lnput(2) - lnput(3)) mod N (41 ) 

[0091] Namely, the calculation result of the transformed input data is the same as the calculation result of the original 
data. This is an example that the disturbance data process and untransforming process are unnecessary if the above- 
described feature of the modular calculation is incorporated. The disturbance data process result: 

Xoutput(i) = (k(1) * N + k(2) * N - k(3) * N) mod N (42) 

is 0 so that the disturbance data process and untransforming process are unnecessary. 

[0092] For the data process f of multiplication in modular calculation, an integer multiple of the modulus N added 
with 1 can be used for the transformation operation h. Consider for example the following multiplication in modular 
calculation: 

Output = lnput(1 ) * lnput(2) * lnput(3) mod N (43) 

[0093] The input data Input(i) is transformed: 

InputX(i) = Input(i) * (k(i) * N + 1 ) (44) 

[0094] By using the transformed input data, the multiplication modular calculation is executed: 

OutputX = lnputX(1 ) * lnputX(2) * lnputX(3) mod N (45) 

[0095] The equation (45) can be transformed by using the equation (44): 

OutputX=(lnput(1)*(k(1)*N + 1)) 
*(lnput(2)*(k(2)*N + 1)) 
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* (lnput(3) * (k{3) * N + 1)) mod N 
= (lnput{1) * lnput(2) * lnput{3)) 
5 *((k(1)*N + 1)*(k(2)*N + 1) 

* ((k(3) * N + 1 )) mod N (46) 

10 [0096] By using the property of modular calculation: 

0 = k * N mod N (47) 

15 the equation (46) is given by: 

OutputX = (lnput(1) * lnput(2) * lnput(3)) 
20 * ( 1*1*1) mod N 

= lnput(1 ) * lnput(2) * lnput(3) mod N (48) 

[0097] Namely, the calculation result of the transformed input data is the same as the calculation result of the original 
25 data. This is also an example that the data processing of the disturance data and the untransform operation are un- 
necessary due to the property of modular calculation. 

[0098] For the function f of multiplication by an integer in modular calculation with modulus N, the transform operation 
h can be selected as multiplication by an invertible number x in this modular calculation. In this case, g is the the 
multiplication by Y such that: 

30 

1 = X * Y mod N (49) 

[0099] A simple example of such numerical values is that X = 2 and Y= (N+1)/2; (N is an odd number). The process 
35 result of original data can be obtained by multiplying X as the transformation operation, and multiplying Y in the un- 
transforming process by the number of X multiplication times. Consider for example the following addition and sub- 
traction in modular calculation: 

4Q Output =lnput(1)*lnput(2)*lnput(3) mod N (50) 

[0100] The input data Input(i) is transformed: 

45 InputX(i) = Input(i) * X (51) 

[0101] By using the transformed input data, the addition/subtraction modular calculation is performed: 

50 OutputX = lnputX(1 ) * lnputX(2) * lnputX(3) mod N (52) 

[0102] If a value multiplied by Y by the number of X multiplication times is selected for the untransforming process 
g, the original data can be obtained by performed the untransforming process g for the butputX: 

55 Output = OutputX * Y * Y * Y mod N 

= lnputX(1) * lnputX(2) * lnputX(3) 
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* Y * Y * Y mod N 

= lnput(1)*X*lnput(2)*X* 
5 lnput(3) *X*Y*Y*Y mod N 

= lnput(1) * lnput(2) * lnput{3) 
10 * X * X * X * Y * Y * Y mod N 

= lnput(1) * lnput(2) * lnput{3) 

*X*Y*X*Y*X*Y mod N 

15 = lnput(1 ) * lnput(2) * lnput(3) mod N (53) 

[0103] For the equation (53), the feature of the equation (49) was used. In this example, although the disturbance 
data process is unnecessary, if the inverse is multiplied in the modulus N by the number of disturbance data multipli- 
20 cation times, in the untransforming process, the correct result can be obtained. 

[0104] It is also necessary to disturb a retrieval operation of data from a table in order not to presume data from the 
current wave shape. An example of disturbance of table data and disturbance of table address will be described by 
taking as an example retrieving data from a table shown in Fig. 33. 

[0105] An exclusive logical OR between the table data shown in Fig. 33 and disturbance data X1 is calculated. For 
25 example, the disturbance data of "9" is selected and an exclusive logical OR between the table value and "9" is cal- 
culated. The results are shown in the table of Fig. 34. Next, in order to disturb the table address, an exclusive logical 
OR between the row number and selected disturbance data X2 of "3" and between the column number and selected 
disturbance data X3 of "2" is calculated to rearrange the table. The results are shown in Fig. 35. The data 3301 of "0" 
at the first row and second column of the original table shown in Fig. 33 is changed to the data 3401 of "9" in the table 
30 shown in Fig. 34 after the exclusive logical OR of the disturbance data X1 is calculated. After the exclusive logical ORs 
between the row number and disturbance data X2 and between the column number and disturbance data X3 is cal- 
culated, the data 3401 moves to the position of data 3501. Such tables are prepared in order to disturb the retrieval 
operation of data from the table. 

[0106] It is assumed herein that a row number variable Gyou and a column number variable Retsu have been trans- 
35 formed already through an exclusive logical OR of disturbance data Y1 and Y2 before the address calculation is exe- 
cuted. Namely, it is assumed that correct row and column numbers Gyou and Retsu cannot be obtained until the 
exclusive logical OR between the Y1 and Y2 and the Gyou and Retsu is calculated. This can be expressed by the 
following relations: 



Retsu = RetsuY2 xor Y2 (55) 

[0107] However, if the table shown in Fig. 33 is used for this untransforming process, the correct address data is 
used so that the address data may be presumed from the current wave shape. Therefore, first, the disturbance data 
X2 and X3 used for disturbing the row and column numbers when the table shown in Fig. 35 was formed, are used: 

GyouY1X2 = GyouYI xorX2 (56) 

RetsuY1X3 = RetsuY2 xor X3 (57) 
[0108] The disturbance data used is then subjected to the untransforming process: 
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GyouX2 = GyouY1X2 xor Y1 



(58) 



5 



RetsuX3 = RetsuY2X3 xor Y2 



(59) 



[0109] With this procedure, the correct row and column numbers are not used so that it is difficult to presume the 
correct row and column numbers from the current wave shape. By using GyouX2 and RetsuX3 and referring to the 
table TableX1X2X3 shown in Fig. 35, data X1 is obtained: 



[01 10] Since the table shown in Fig. 35 is already transformed by the disturbance data X1 , the disturbance data X1 
15 is used in the succeeding process. The processes by the equations (56) to (60) do not use original data. 

[0111] Each time a predetermined amount of processes is executed, the table data disturbance data X1 and row 
and column number disturbance data X2 and X3 are randomly generated to transform the tables. With this transforming 
process, the tables are transformed so that it is difficult to presume the data from the current wave shape. 
[0112] In the foregoing, the type of disturbance data and a method of transforming data have been described. Next, 
20 the sequential processes therefor will be described. Fig. 4 illustrates an embodiment of a fundamental information 
concealment procedure using disturbance data. 

[0113] Fig. 4 illustrates a fundamental procedure. A disturbance data generating unit generates disturbance data Xi 
(401). As a general method therefor, there is a method of generating a random number having a necessary length by 
usingarandom number generator or a pseudorandom number generator. Next, a data transforming process unit (406) 

25 transforms input data D1 (405) by the disturbance data Xi to generate transformed data H1 (407). As described earlier, 
the transforming process may be an exclusive logical OR, addition and subtraction, multiplication and division, or the 
like. A transformed data process unit processes the transformed data H1 (408) to generate processed and transformed 
data H2. A disturbance data process unit performs (403) a similar data process to that of the input data to generate 
processed disturbance data Xo (404). A data untransforming process unit obtains (410) correct processed data D2 by 

30 using the processed disturbance data Xo and processed and transformed data D2 (411). The process to be executed 
by the data transforming unit (406) and data untransforming unit may include, as described earlier, an exclusive logical 
OR, addition and subtraction, multiplication and division, modular calculation, or the like. 

[0114] In the embodiment shown in Fig. 5, two sets of disturbance data are used. An information concealment pro- 
cedure using first disturbance data contains another information concealment procedure using second disturbance 

35 data. The main flow is similar to the embodiment shown in Fig. 4. Transformed data H1 (507) transformed by the first 
disturbance data is processed. The processed and transformed data H2 (509) is transformed by a second data trans- 
forming process unit (510) by using the second disturbance data X2i to thereby generate processed and transformed 
data H3 (511). This processed and transformed data H3 is processed by a second deformed data process unit (512) 
to generate processed and transformed data H4. A second data untransforming process unit (520) untransforms the 

40 second disturbance data to generate processed and transformed data H5 (521). A first data untransforming process 
unit (514) untransforms the first disturbance data to obtain correct processed data D2 (515). An example of transfor- 
mation using an exclusive logical OR is as follows: 



10 



DataXI = TableXIX2X3(GyouX2, RetsuX3) 



(60) 



45 



H1 = D1 xorXli 



H2 = f1(H1) 



X1o = f1(X1i) 



50 



H31 = H2 xor X2i 



H32 = D2 xor X2i 



55 



H4 = f2(H31, H32) 



X2o = f2(X2i, X2i) 
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H5 = H4 xor X2o 



The data processes are represented by f1 and f2. As in this example, since the second data process f2 uses another 
data D2 and this data D2 is transformed by the second disturbance data, the procedure of this embodiment is effective. 
[0115] Also in the embodiment shown in Fig. 6, two sets of disturbance data are used. A significant difference from 
the embodiment shown in Fig. 5 is that an information concealment procedure using first disturbance data is continuous 

10 with another information concealment procedure using second disturbance data. In this procedure of concealing the 
process using correct data, prior to the untransforming process for the first disturbance data, the input data is further 
transformed by using the second disturbance data. Transformed data H1 (609) transformed by the first disturbance 
data is processed by a first transformed data process unit (610). The processed and transformed data H2 (611) is 
transformed by a second transformed data generating unit (612) by using the second disturbance data H2 (611) to 

15 generate processed and transformed data H3 (613). A first data untransforming process unit (605) untransforms for 
the first disturbance data. This process result of processed and transformed data H4 (606) is used for a second trans- 
formed data process unit (614) to generate processed and transformed data H5 (615). A second data untransforming 
process unit (616) untransforms the data to generate correct processed data D2 (617). An example of transformation 
using an exclusive logical OR is as follows: 

20 

H1 = D1 xorXlo 
H2 = f1(H1) 

25 X1o = f1(X1i) 

H3 = H2 xor X2i 

30 H4 = H3xorX1o 

H5 = f2(H4) 
X2o = f2(X2i) 



[0116] This procedure is effective for the case wherein there are a plurality of processes and a plurality set of dis- 
turbance data are used. 

40 [0117] In the embodiment shown in Fig. 7, the disturbance data is processed in advance in order to make the pro- 
cedure efficient. A disturbance data process unit generates in advance processed disturbance data Xo (703) which is 
stored in a processed disturbance data storage unit (706). During the procedure, a data untransforming process unit 
(713) reads the stored processed disturbance data (714) to use it. This procedure is efficient if similar data processes 
are executed a plurality of times. However, since the disturbance data is used a plurality of times, it is more effective 

45 to change the disturbance data each time the data process is executed, as in the embodiment shown in Fig. 4. This 
can be settled from the tradeoff between the process time and the information security. 

[0118] In the embodiment shown in Fig. 8, the untransforming processes for the first and second disturbance data 
is unified, and thereafter, by using the unified result, the data is untransformed. First and second disturbance data 
process units 803 and 807 process the first and second disturbance data to generate processed disturbance data X1o 

so and X2o. These data are unified by a data untransforming and unifying unit to generate unified and processed distur- 
bance data Xo. By using this data, an untransforming process unit (820) untransforms the processed and transformed 
data H4 (819) processed by first and second transformed data process units (814 and 818) to generate correct proc- 
essed data D2. With this procedure, the processed disturbance data is unified and an unified untransforming process 
is executed thereafter, instead of independently executing the untransforming process. This procedure is effective for 

55 the case wherein the untransforming process takes a long process time. 

[0119] Next, embodiments using symmetric cryptographic DES (data encryption standard) will be described. The 
invention is applicable to other cryptographic systems. 

[0120] DES performs encryption and decryption of 64-bit data (plain text or cipher text) by using a cipher key of 
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56-bits. Since the same cipher key is used for both encryption and decryption, DES is called a symmetric cryptography. 
As trump cards are turned randomly, bits of a plain text (to be encrypted) are randomly exchanged and enciphered. 
Data exchange is performed in accordance with the cipher key. When data is deciphered, bits of a cipher text are 
exchanged in the reverse order of the enciphering to recover the original data. Data exchange of DES uses two ex- 
5 change methods one being a one-bit unit basis and the other being a plural-bit unit basis. The former is called permu- 
tation and the latter is called substitution. 

[0121] Referring to Fig. 9, DES cryptography will be described. A transforming process a (901 ), a transforming proc- 
ess b (904), and an untransforming process (916) pertain to the present invention and are not relevant to the essential 
cryptography of DES. A cipher text is subjected first to initial permutation (IP) 902. This permutation is performed by 

10 using an initial permutation table to exchange 64-bit data of the cipher text on the one-bit unit basis. A series of such 
operations is repeated sixteen stages to inverse permutation (IP" 1 ) 915 of the initial permutation. 
[0122] At each stage, a process called an f function 903 is calculated by inputting data of 32 bits of either the first or 
second half at the preceding stage and the cipher key, and then an exclusive logical OR operation 909 is performed 
by using the output of the f function and 32 bits of the remaining half at the preceding stage. Data of the cipher key is 

15 also exchanged. Data of the cipher key is first subjected to selectable permutation PC-1 (905) by using a table PC-1 . 
Thereafter, data of the cipher key is subjected to selectable permutation PC-2 (908) by using a table PC-2. At the next 
stage, each set of 28 bits of the cipher key rounded in accordance with an RS table is used: 

[0123] In this embodiment, before the IP process, the transforming process a (901) for transforming a plain text, 
transforming process b (904) for untransforming a cipher key, and lastly untransforming process (91 6) are additionally 

20 executed. The transforming process a (901 ) transforms a plain text so as to later process the transformed plain text 
and so as not to process the plain text itself by the IP process (902) and f function process (903). Data of the plain text 
therefore becomes hard to be presumed from the current wave shape during the data process. The transforming 
process b (904) transforms a cipher key so as to later process the transformed cipher key and so as not to process 
the cipher key itself by the PC-1 process (905), LS process (907), PC-2 process (908) and f function (903). Data of 

25 the cipher key therefore becomes hard to be presumed from the current wave shape during the data process. 

[0124] The process by the f function is illustrated in Fig. 10. Data input to the f function is subjected to selectable 
(expanding) permutation by using an E selectable permutation matrix (1 002). Next, an exclusive logical OR is calculated 
between the cipher key and a result of the selectable permutation for the input data (1 003), an S box process is executed 
(1004), and a P permutation process is executed (1005). In the S box process, each 6-bit set is extracted from 48 bits 

30 which are a result of the exclusive logical OR at 1003, to acquire the row and column numbers of an S box table and 
generate 4-bit data. The contents of the S box table change with the position of each 6-bit set. The P permutation 
process exchanges the bit positions of 32 bits by using a P permutation table. 

[0125] The transforming process a (901 ) and transforming process b (902) are fundamentally the same. With refer- 
ence to Fig. 1 1 , the transforming process a for transforming data of a plain text will be described. Disturbance data X1 

35 is randomly generated. The disturbance data is generated by using a random number generator or a pseudo random 
number each time an encryption (or decryption) process of DES is performed (1102). Different disturbance data is 
therefore used for each process. Next, an XOR (exclusive logical OR) between the disturbance data X1 and a plain 
text P1 is calculated to generate a transformed plain text (PX1 (1103). Although a plain text of DES has 64 bits, the 
random number may be either 64 bits or 8 bits. In this case, if the number of bits of the random number is smaller than 

40 64 bits, it is necessary to expand it to obtain the disturbance data X1 of 64 bits. If the generated random number has 
8 bits, this number may be repeated eight times to generate the disturbance data X1 of 64 bits. Since the exclusive 
logical OR (XOR) was used for transformation, XOR between the disturbance data X1 and transformed plain text PX1 
generates the plain text P. 

[0126] The transforming process b (904) for transforming data of a cipher key is illustrated in Fig. 36. A different point 
45 from the embodiment shown in Fig. 11 is that a cipher key K and disturbance data X2 are used in place of a plain text 
and disturbance data X1 . A cipher key of DES has 64 bits same as that of a plain text. With the transforming process 
b, a transformed cipher key KX2 is generated. 

[0127] Next, the IP process (902) will be described. The IP process exchanges the positions of a plain text having 
64 bits by using a table shown in Fig. 37. In accordance with this table, the first bit of an output is exchanged with the 

so 58-th bit of an input, the second bit of the output is exchanged with the 50-th bit of the input and the 64-th bit of the 

output is exchanged with the 7-th bit of the input. The IP process of this embodiment will be described with reference 
to Fig. 12. First, the transformed plain text PX1 is subjected to the IP process to generate an IP processed and trans- 
formed plain text PX1IP (1202). Bit exchange is performed conforming to the table shown in Fig. 37. Next, the distur- 
bance data X1 is also subjected to the IP process to generate an IP processed and transformed disturbance data X1 IP 

55 (1203). An exclusive logical OR between the IP processed and transformed plain text PX1IP and IP processed and 
transformed disturbance data X1IP can generate a result of IP processed plain text. This is because a relation is 
retained in which the disturbance data moves in a similar manner to the transformed plain text PX1 because of a bit 
motion of the IP process and so the exclusive logical OR of a one-bit unit basis generates correct data. The lower 32 
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bits of the result of the IP process are used by a first stage f function (903) and a second stage exclusive logical OR, 
whereas the upper 32 bits are input for the exclusive logical OR (909). 

[0128] In the IP process, the values of bits of the transformed plain text PX1 are different from the values of bits of 
the original plain text. It is therefore difficult to presume the data of the original plain text from the current wave shape 

5 during the IP process. The larger the number of "1" bits, the large the consumption current. However, the number of 
"1 " bits of the transformed plain text is related not at all to the number of "1" bit of the original plain text, and so it is 
difficult to presume the data of the original plain text. As above, since the plain text is transformed by using disturbance 
data, presuming the original data is difficult even if the current wave shape during the process is monitored. 
[0129] With the PC-1 process, a PC-1 transformation table shown in Fig. 38 is used, a cipher key of 64 bits is changed 

10 to a cipher key of 56 bits by removing the parity bits of 8 bits, and the order of 56 bits is exchanged. The table shown 
in Fig. 38 is used in a similar manner to the table shown in Fig. 37. An exclusive logical OR between the PC-1 processed 
and transformed cipher key KX2PC1 and PC-1 processed and transformed disturbance data X2PC1 can generate a 
correct PC-1 processed and transformed cipher key. 

[01 30] With the LS process, the cipher key of 56 bits generated by the PC-1 process is divided into right 28 bits and 
is left 28 bits which are then shifted one bit or two bits to the left in accordance with an LS table. This embodiment will 
be described with reference to Fig. 15. First, at 1502 the PC-1 processed and transformed cipher key KX2PC1 is 
subjected to the LS process to generate a PC-1 and LS processed and transformed cipher key KX2PC1LS. At 1503 
the PC-1 processed disturbance data X2PC1 is subjected to the LS process to generate a PC-1 and LS processed 
disturbance data X2PC1LS. Since the LS process also uses bit position exchange, an exclusive logical OR between 
20 the PC-1 and LS processed and transformed cipher key KX2PC1LS and PC-1 and LS processed disturbance data 
X2PC1LS can generate a correct LS processed cipher key. Since the LS process also uses the disturbance data and 
the data of the cipher key actually processed is different from the original cipher key, it is difficult to presume the cipher 
key even if the current wave shape is monitored. 

[0131] The PC-2 process executes a reduction permutation for changing the 56-bit data generated by the LS process 
25 to 48-bit data in accordance with a PC-2 table. At 1402, the PC-1 and LS processed and transformed cipher key 
KX2PC1 LS is subjected to the PC-2 process to generate a PC-1 , LS and PC-2 processed and transformed cipher key 
KX2PC1LSPC2. At 1403, the PC-1 and LS processed disturbance data X2PC1 LS is subjected to the PC-2 process to 
generate a PC-1 , LS and PC-2 processed disturbance data X2PC1 LSPC2. Basically, this PC-2 process uses the table 
for permutation so that it is fundamentally the same as the PC-1 process. 
30 [0132] Next, the. process for the f function 903 will be described. As shown in Fig. 10, the f function includes a 
selectable permutation E process (1002), an exclusive logical OR (1003) between a cipher key and an execution result 
of selectable permutation, an S box process (1004), and a P permutation process (1005). 

[0133] The selectable permutation E process will be described with reference to Fig. 16. Similar to the IP process, 
the selectable permutation E process exchanges the order of bits by using a permutation table shown in Fig. 28. At 

35 1 602 the IP processed and transformed plain text PXIP is subjected to the selectable permutation E process to generate 
an IP processed, E permutated and transformed plain text PXIPE. At 1603 the IP processed disturbance data XIP is 
subjected to the selectable permutation E process to generate an IP processed, E permutated disturbance data XIPE. 
Similar to the IP process and PC-1 process, an exclusive logical OR between the IP processed, E permutated and 
transformed plain text PXIPE and IP processed, E permutated disturbance data XIPE can generate a correct IP proc- 

40 essed, E permutated plain text. Since the values of bits exchanged by using the permutation E table are different from 
those of original bits, it is difficult to presume the correct data even if the current wave shape is monitored during this 
process. 

[0134] Next, the second process (1003) of the f function, i.e., an exclusive logical OR between the cipher key and 
an execution result of selectable permutation, will be described with reference to Fig. 17. At 1702 an XOR is calculated 

45 between the IP processed, E permutated and transformed plain text PXIPE generated from the plain text and the PC- 
1, LS and PC-2 processed and transformed cipher key KX2PC1LSPC2 generated from the cipher key to generate 
48-bit S box input data SinputX which is used as an input for the S box process. Next, at 1703 an XOR is calculated 
between the IP processed, E permutated disturbance data XIPE generated from the disturbance data for the plain text 
and the PC-1, LS and PC-2 processed disturbance data X2PC1LSPC2 generated from the disturbance data for the 

50 cipher key to generate S box input data disturbance data XSinput which is used as the disturbance data for the S box 
input data SinputX. Basing upon the characteristics of an exclusive logical OR, the S box input data disturbance data 
XSinput can be generated by an XOR between the two sets of disturbance data (the IP processed, E permutated 
disturbance data XIPE and the PC-1, LS and PC-2 processed disturbance data X2PC1LSPC2). This will be clarified 
by using a simple example. A plain text is represented by P, a cipher key is represented by K, a transformed plain text 

55 is represented by PX1 , and a transformed cipher key is represented by KX2. The relations among them are given by 
the following equations (63) and (64) where X1 and X2 are disturbance data for the plain text and cipher key, respec- 
tively: 
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PX1 = P xor X1 



KX2 = K xor X2 



[0135] If an execution result of the exclusive logical OR between P and K is represented by Z, then the relation 
between Z and an execution result Z1 of the exclusive logical OR between PX1 and PX2 is given by: 

Z = P xor K (65) 

Z1 = PX1 xor KX2 
= (PxorX1)xor (KxorX2) 

= P xor X1 xor K xor X2 
= (P xor K) xor (X1 xor X2) 

= Z xor (X1 xor X2) (66) 

[0136] It can be understood from the above equation that as the disturbance data for recovering the correct data of 
Z1, the exclusive logical OR between P and K disturbance data can be used. In the exclusive logical OR process 
between the cipher key and the execution result of selectable permutation, the S box input data disturbance data 
XSinput can be used as the disturbance data for the S box input data SinputX, the S box input data disturbance data 
XSinput being generated by an XOR between the IP processed, E permutated disturbance data XIPE generated from 
the disturbance data for the plain text and the PC-1 , LS and PC-2 processed disturbance data X2PC1 LSPC2 generated 
from the disturbance data for the cipher key. 

[0137] Next, the S box process will be described with reference to Fig. 18. Eight S boxes are formed each being 
constituted of 6 bits of the S box input data SinputX. The first S box used in DES is shown in Fig. 25. Although the 
format of each of the eight S box is the same, the data in each field is different. In the S box process for each S box, 
first the sub-data SubSinputX(i) of 6 bits is derived from the S box input data Sinput at the upper i-th (1805). An XOR 
is calculated between this SubSinputX(i) and address disturbance data Xsa(i) for an S box table transformed in advance 
from the S box, to generate SubSinputXXsa(i) (1806). An XOR is calculated between this SubSinputXXsa(i) and six 
bits of the S box input data disturbance data XSinput at the upper i-th, to generate SubSinputXsa(i) (1807). This Sub- 
SinputXsa(i) is the XORed data of the address disturbance data Xsa(i) and the correct address data to be used for 
deriving the i-th S box. Since the exclusive logical OR (XOR) between SubSinputX(i) and XSinput(i) recovers correct 
data, an XOR between SubSinputX(i) and Xsa(i) is calculated and the XOR between the result and XSinput(i) is cal- 
culated. With this method, it is not necessary to process the original data so that the original data is difficult to be 
presumed from the current wave shape. Next, an address of the transformed S box table is calculated by using Sub- 
SinputXsa(i) (1808). Since the address for accessing the original S box table is transformed, it is also necessary to 
transform the table. By using the calculated address, S box output data SoutX3(i) is retrieved from the transformed S 
box table S(i) (1809). At the same time, disturbance data X3(i) for the S box output data SoutputX3(i) is retrieved 
(1810). After the eight S boxes are processed, data of SoutputX3(i) and X3(i) for i = 1 to 8 is connected together to 
generate SoutputX3 and X3. SoutputX3 is used as the process data and X1 is used as the disturbance data in the 
succeeding processes. 

[0138] Next, a method of generating the transformed S box table will be described with reference to Figs. 23 and 
24. Address disturbance data Xsa(i) and data disturbance data X3(i) are generated from an S(i) box (2306). Xsa(i) has 
6 bits and X3(i) has 4 bits. The disturbance data X3 has 32 bits collected from eight X3(i) each having 4 bits. Next, a 
transformed S(i) box table forming routine is called (2307). The i-th transformed S box table forming routine will be 
described with reference to Fig. 24. k is used for designating a row number, and 1 is used for designating a column 
number. The process for the k-th row and 1-th column is illustrated from 2408 to 2413. The first S box table is shown 
in Fig. 25. First, data d at the k-th row and 1-th column is picked up from the i-th original S box (2408). An exclusive 
logical OR between the data d and the disturbance data X3(i) is calculated to generate data d2 (2409). If the disturbance 
data is "7", the transformed data of the original S box data at 2504 is indicated at 2604. This operation is executed for 
all the fields to obtain a transformed S box table shown in Fig. 26. This table shown in Fig. 26 is formed through 
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exclusive logical OR operations between the first S box data and the disturbance data "7". 

[0139] Next, the address is disturbed. First, Xsa1 is formed from two bits including the upper first bit and the lower 
first bit of Xsa(i), and Xsa2 is formed from four bits including the bits from the upper second bit to upper fifth bit of Xsa 
(i). This process is originated from the S box address calculation method. By representing the row and column numbers 

5 of the table shown in Fig. 26 by k and 1, exclusive logical OR operations between the Xsa1 and Xsa2 for respective 
row and column are executed (2412). By representing the new row and column numbers by k2 and 12, the data d2 is 
stored in the i-th transformed S box table S(i) at the k2-th row and 12-th column (2413). An example of this process is 
illustrated in Fig. 27. The table shown in Fig. 27 is formed by using disturbance data "2" and "9" for the row and column 
shown in Fig. 26. In this table, for the simplicity purpose, the position of data at each row and each column is not 

10 changed and only the row and column numbers are changed. The data "12" indicated at 2504 at the third row and first 
column of the table shown in Fig. 25 is moved to the first row and eighth column in Fig. 27 and its value is changed to 
"11". In this example, the data disturbance data is 7", and the address disturbance data has the row number of "2" and 
the column number of "9". In this manner, the eight S boxes are transformed. In this embodiment, this process is 
executed at the first stage of DES. The transformed S boxes are used at sixteen stages of DES. 

15 [0140] After the S box process, 32-bit SoutputX3 is used as process data and 32-bit X3 is used as disturbance data, 
which are supplied to the permutation P process (1005) which is the last process of the f function. The permutation P 
process will be described with reference to Fig. 19. SinputX3 supplied from the S box process is subjected to the 
permutation P process to generate SinputX3P (1902). The disturbance data X3 for SinputX3 is subjected to the per- 
mutation P process to generate X3P (1 903). A table used for the permutation P process is shown in Fig. 29. This table 

20 js used in a similar manner to that of the IP process table. 

[0141] After the f function process is completed, an XOR between a result of the permutation P process and a result 
at the preceding stage is calculated (909, 914). Specifically, an XOR is calculated between SinputX3P obtained by the 
permutation P process for the S box process result and a result at the preceding stage (2002). An XOR is calculated 
between X3P and the disturbance data X at the preceding stage (2003). This XOR process is the same as that (1701 ) 

25 between the selectable permutation E process result and the cipher key. 

[0142] In DES, the IP" 1 process (915) is executed at the last stage. This process is illustrated in Fig. 21. The IP-1 
process is a bit position exchange process similar to the IP process, and uses an IP-1 table instead of the IP table 
(2102). The process result obtained by the above-described processes is subjected to the IP-1 process, and the dis- 
turbance data X is also subjected to the IP-1 process (2103). 

30 [0143] Lastly, in order to recover the correct process result, the untransforming process is executed (916) which is 
illustrated in Fig. 22. An XOR between the IP-1 process result and the IP-1 processed disturbance data X generates 
a correct result. The correct process result not transformed can be obtained at the first time at this stage. 
[0144] To conceal the process data has been described above. There is the case that the disturbance data is also 
required to be concealed. The fundamental concept is to transform the disturbance data through an exclusive logical 

35 OR between the disturbance data and disturbance data XR for disturbance. In this case, XR is fixed and XRo for the 
untransformation is obtained in advance by calculating bit position exchange or the like. When the disturbance data 
becomes necessary, the original disturbance data is obtained by using XRo. First, this process will be described by 
taking disturbance data for the cipher key as an example. The process illustrated in Fig. 30 is a disturbance data 
transforming process through an exclusive logical OR between the disturbance data for a cipher key and the disturbance 

40 data XR for disturbance. After the transforming process b (3601 ) generates the disturbance data X2, the disturbance 
data transforming process shown in Fig. 30 is executed. The disturbance data X2 for the cipher key is subjected to the 
PC-1 process, LS process and PC-2 process. These processes perform the bit exchange at predetermined bit positions. 
Therefore, for the predetermined value XR, the disturbance data XRo subjected to the processes up to the PC-2 
process is calculated and stored in advance (3102 to 3105). After the PC-2 process, an XOR is calculated (3202) 

45 between the PC-1 , LS, PC-2 processed disturbance data X2PC1 LSPC2 generated at 1403 and the stored disturbance 
data XRo can generate correct PC-1 , LS, PC-2 processed disturbance data X2PC1LSPC2. With these processes, the 
disturbance data can also be concealed. The same data may be used as the disturbance data XR for disturbance and 
as the processed, disturbance transformed data XRo. 

[0145] The embodiments for DES are related to encryption. Since nearly the same DES algorithm is used also for 
50 decryption, the embodiments can be applied also to decryption, by hardly modifying the embodiments. Cryptographic 
algorithms other than DES use many permutation processes, substitution processes and modular calculations. There- 
fore, the invention can be applied to such algorithms to make it difficult to alter data and presume original data through 
observation of current wave shapes. 

[0146] According to the present invention, data to be processed by an IC card chip is transformed so that it is difficult 
55 to presume processes and a cipher key through observation of current wave shapes. 
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Claims 

1. An information processing equipment comprising 

a storage memory including a program storage unit and a data storage unit, 

a central processing unit for executing a data process in accordance with the program, the program including 
one or more data process means each being a process instruction for giving an execution instruction to said central 
processing unit, and 

input data processing means wherein one data processing means processes input data and outputs the 
processed data, 

characterised by 

data transforming process means (406) for transforming input data D1 by using disturbance data Xi to gen- 
erate transformed data H1, 

transformed data processing means (408) for executing an operation process OP1 for the transformed data 
H1 in place of the operation process OP1 for the input data D1 to be executed by said input data processing means, 
to generate processed and transformed data H2, 

disturbance data processing means (403) for executing the operation process OP1 for the disturbance data 
Xi to generate processed disturbance data Xo, and 

data untransforming processing means (410) for executing an operation process OP2 for the processed and 
transformed data H2 by using the processed disturbance data Xo, to generate processed data D2 which is a result 
of the operation process OP1 for the input data D1. 

2. An information processing equipment comprising 

a storage memory including a program storage unit and a data storage unit, and 

a central processing unit for executing a data process in accordance with the program, the program including 
one or more data process means, 
characterised by 

means (506) for executing a predetermined 

operation process OP1 for first input data D1 by using first disturbance data X1 i to generate transformed 
data H1 of the first input data D1 , without executing the operation process OP1 for the first input data D1 to generate 
first processed data D2, 

means (508) for executing the operation process OP1 or another operation process OPT different from the 
operation process OP1 for the transformed data H1 to generate processed and transformed data H2, 

means (503) for executing either the operation process OP1 or the other operation process OPT for the first 
disturbance data X1i to generate first processed disturbance data X1o, 

means (510) for generating processed and transformed data H3 by transforming the processed and trans- 
formed data H2 by using second disturbance data X2i, 

means (512) for executing either the operation process OP1 or the other operation process OP1' for the 
processed and transformed data H3 to generate processed and transformed data H4, 

means (518) for executing either the operation process OP1 or the other operation process OP1' for the 
second disturbance data X2i to generate second processed disturbance data X2o, 

means (520) for processing the processed and transformed data H4 by using the second processed distur- 
bance data X2o to generate processed and transformed data H5, and 

means (514) for processing the processed and transformed data H5 by using the first processed disturbance 
data X1o to generate the first processed data D2. 

3. An information processing equipment comprising 

a storage memory including a program storage unit and a data storage unit, and 

a central processing unit for executing a data process in accordance with the program, the program including 
one or more data process means, 
characterised by 

means (607) for executing a predetermined 

operation process OP1 for first input data D1 by using first disturbance data X1i to generate transformed 
data H1 of the first input data D1 , without executing the operation process OP1 for the first input data D1 to generate 
first processed data D3, 

means (610) for executing the operation process OP1 or another operation process OP1" different from the 
operation process OP1 for the transformed data H1 to generate processed and transformed data H2, 

means (603) for executing either the operation process OP1 or the other operation process OP1" for the first 
disturbance data X1 i to generate first processed disturbance data X1o, 
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means (612) for generating processed and transformed data H3 by transforming the processed and trans- 
formed data H2 by using second disturbance data X2i, 

means (605) for executing an untransforming process for the processed and transformed data H3 by using 
the first processed disturbance data X1o to generate processed and transformed data H4, 

means (614) for executing either a predetermined operation process OP2 or another operation process OP2' 
different from the operation process OP2 for the processed and transformed data H4 to generate processed and 
transformed data H5, without executing the operation process OP2 for the first processed data D3 to generate the 
first and second processed data D2, 

means (620) for executing either the operation process OP2 or the other operation process OP2" for the 
second disturbance data X2i to generate second processed disturbance data X2o, and 

means (616) for processing the processed and transformed data H5 by using the second processed distur- 
bance data X2o to generate the processed data D2. 

An information processing equipment characterised by 

means (812) for executing a predetermined operation process OP1 for first input data D1 by using first dis- 
turbance data X1i to generate transformed data H1 of the first input data D1, without executing the operation 
process OP1 for the first input data D1 to generate first processed data D3, 

means (814) for executing the operation process OP1 or another operation process OP1' different from the 
operation process OP1 for the transformed data H1 to generate processed and transformed data H2, 

means (803) for executing either the operation process OP1 or the other operation process OP1 ' for the first 
disturbance data X1i to generate first processed disturbance data X1o, 

means (816) for generating processed and transformed data H3 by transforming the processed and trans- 
formed data H2 by using second disturbance data X2i, 

means (818) for executing an untransforming process for the processed and transformed data H3 by using 
the first processed disturbance data X1o to generate processed and transformed data H4, 

means for executing either a predetermined operation process OP2 or another operation process OP2' dif- 
ferent from the operation process OP2 for the processed and transformed data H4 to generate processed and 
transformed data H5, without executing the operation process OP2 for the first processed data D3 to generate the 
first and second processed data D2, 

means (807) for executing either the operation process OP2 or the other operation process OP2' for the 
second disturbance data X2i to generate second processed disturbance data X2o, 

means (809) for generating unified disturbance data Xo by unifying the first and second processed distur- 
bance data X1 o and X2o, and 

means (820) for executing an untransforming process for the processed and transformed data H4 by using 
the unified disturbance data Xo to generate the processed data D2. 

The equipment of claim 1, further comprising 

means (704) for storing the processed disturbance data Xo, and 

means (713) for processing the processed and transformed data by using the stored, processed disturbance 
data Xo to generate new processed, transformed data. 

The equipment of any preceding claim, wherein the disturbance data is generated by using a random number. 

The equipment of claim 1 , wherein 

the data transforming process is (a) an exclusive logical OR process, or (b) an addition operation, or (c) a 
subtraction operation, or (d) a multiplication operation, or (e) a division operation between the disturbance data Xi 
and the input data D1 , and 

the data untransforming process is (a) an exclusive logical OR process, or (b) a subtraction operation, or (c) 
an addition operation, or (d) a division operation, or (e) a multiplication operation between the processed distur- 
bance data Xo and the processed and transformed data H2. 

The equipment of claim 1, wherein, if the input data process includes an addition/subtraction process in a modular 
calculation, the data transforming process uses an addition/subtraction of a number multiplying a modulus N by 
an arbitrary integer. 

The equipment of claim 1, wherein, if the input data process includes a multiplication process in a modular calcu- 
lation and numbers X and Y satisfy 1 = X * Y mod N, 
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(a) X is multiplied by an integer in the modular calculation of the data transforming process, and 

Y is multiplied by an integer by the number of times said data transforming processing means multiplied X, or 

(b) (N+1 )/2 is multiplied by an integer in the modular calculation of the data transforming process, by using N 
as a modulus of the modular calculation, and 

2 is multiplied by an integer by the number of times said data transforming processing means multiplied (N+1) 
12, in the data untransforming process, or 

(c) 2 is multiplied by an integer in the modular calculation of the data transforming process, and 

(N+1 )/2 is multiplied by an integer by the number of times said data transforming processing means multiplied 
2, in.the data untransforming process, by using N as a modulus of the modular calculation. 

10. The equipment of claim 1, wherein the data transforming process regularly changes positions of array data, and 
the data untransforming process accesses the array data changed by the data transforming process. 

11. The equipment of claim 10, wherein the positions of the array data are regularly changed through an exclusive 
logical OR between an index (argument) of the array data and a certain number, an exclusive logical OR between 
the index of the array data and the number used by the data transforming process is used as an index of the 
transformed data array, and the data untransforming process accesses the array data in accordance with the 
transformed index. 

12. The equipment of claim 1, wherein the operation process OP1 is (a) a permutation process of exchanging data 
on a one-bit unit basis, or (b) a substitution process of exchanging data on a one-bit unit basis, or (c) a process 
of exchanging data by using a table, and the data transforming process and the data untransforming process are 
an exclusive logical OR process for the data. 

13. An information processing equipment, comprising a processing unit for processing input data in accordance with 
a computer program and outputting the processed data, characterised by 

means (709) for transforming input data D1 by using disturbance data Xi to generate transformed data H1, 
without executing a predetermined operation process OP1 for the input data D1 to generate processed data D2, 

means (712) for executing the operation process OP1 or another operation process OPT different from the 
operation process OP1 for the transformed data H1 to generate processed and transformed data H2, 

means (701) for executing either the operation process OP1 or the other operation process OP1' for the 
disturbance data Xi to generate processed disturbance data Xo, and 

means (713) for executing a data untransforming process OP2 for the processed and transformed data H2 
by using the processed disturbance data Xo to generate the processed data D2 as a result of the operation process 
OP1 for the input data D1. 



PatentansprUche 

1. Informationsverarbeitungseinrichtung mit 

einem Speicher mit einer Programmspeichereinheit und einer Datenspeichereinheit, 

einerZentralverarbeitungseinheit zum Ausfuhren eines Datenprozesses entsprechend dem Programm, wo- 
bei das Programm ein oder mehrere Datenverarbeitungseinrichtungen aufweist, deren jede ein ProzelSbefehl ist, 
urn der Zentralverarbeitungseinheit einen AusfOhrungsbefehl zu erteiten, und 

einer Eingabedaten-Verarbeitungseinrichtung, wobei eine Datenverarbeitungseinrichtung Eingabedaten 
verarbeitet und die verarbeiteten Daten ausgibt, 

gekennzeichnet durch 

eine Daten umwandelnde Verarbeitungseinrichtung (406) zum Umwandeln von Eingabedaten D1 unter Ver- 
wendung von St6rdaten Xi zur Erzeugung umgewandelter Daten H1 , 

eine umgewandelte Daten verarbeitende Einrichtung (408) zum Ausfuhren eines Operationsprozesses OP1 
an den umgewandelten Daten H1 anstelle des von der Eingabedaten-Verarbeitungseinrichtung auszufuhrenden 
Operationsprozesses OP1 fur die Eingabedaten D1, um verarbeitete und umgewandelte Daten H2 zu erzeugen, 

eine Stbrdaten-Verarbeitungseinrichtung (403) zum Ausfuhren des Operationsprozesses OP1 an den Stor- 
daten Xi zur Erzeugung verarbeiteter Stfirdaten Xo und 

eine Datenruckwandlungseinrichtung (410) zum Ausfuhren eines Operationsprozesses OP2 an den verar- 
beiteten und umgewandelten Daten H2 unter Verwendung der verarbeiteten StSrdaten Xo zur Erzeugung verar- 
beiteter Daten D2 als Ergebnis des Operationsprozesses OP1 an den Eingabedaten D1. 
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Informationsverarbeitungseinrichtung mit 

einem Speicher mit einer Programmspeichereinheit und einer Datenspeichereinheit und 

einer Zentralverarbeitungseinheitzum Ausfiihren eines Datenprozesses entsprechend dem Programm, wo- 

bei das Programm ein Oder mehrere Datenverarbeitungseinrichtungen enthait, 
gekennzeichnet durch 

eine Einrichtung (506) zum AusfOhren eines vorgegebenen Operationsprozesses OP1 an ersten Eingabe- 
daten D1 unter Verwendung erster Stordaten X1i zur Erzeugung umgewandelter Daten H1 der ersten Eingabe- 
daten D1, ohne AusfQhrung des Operationsprozesses OP1 an den ersten Eingabedaten D1 zur Erzeugung erster 
verarbeiteter Daten D2, 

eine Einrichtung (508) zum Ausfiihren des Verarbeitungsprozesses OP1 Oder eines von diesem verschte- 
denen weiteren Operationsprozesses OP1' an.den umgewandetten Daten H1 zur Erzeugung verarbeiteter und 
umgewandelter Daten H2, 

eine Einrichtung (503) zum AusfOhren entweder des Operationsprozesses OP1 oder des weiteren Operati- 
onsprozesses OP1' an den ersten St6rdaten X1i zur Erzeugung erster verarbeiteter Stordaten X1o, 

eine Einrichtung (510) zum Erzeugen verarbeiteter und umgewandelter Daten H3 durch Umwandeln der 
verarbeiteten und umgewandelten Daten H2 unter Verwendung zweiter Stordaten X2i, 

eine Einrichtung (512) zum AusfOhren entweder des Operationsprozesses OP1 oder des weiteren Operati- 
onsprozesses OP1' an den verarbeiteten und umgewandelten Daten H3 zur Erzeugung verarbeiteter und umge- 
wandelter Daten H4, 

eine Einrichtung (518) zum AusfOhren entweder des Operationsprozesses OP1 oder des weiteren Operati- 
onsprozesses OP1' an den zweiten Stordaten X2i zur Erzeugung zweiter verarbeiteter Stordaten X2o, 

eine Einrichtung (520) zum Verarbeiten der verarbeiteten und umgewandelten Daten H4 unter Verwendung 
der zweiten verarbeiteten Stbrdaten X2o zur Erzeugung verarbeiteter und umgewandelter Daten H5, und 

eine Einrichtung (514) zum Verarbeiten der verarbeiteten und umgewandelten Daten H5 unter Verwendung 
der ersten verarbeiteten Stordaten X1o zur Erzeugung der ersten verarbeiteten Daten D2. 

Informationsverarbeitungseinrichtung mit 

einem Speicher mit einer Programmspeichereinheit und einer Datenspeichereinheit und 

einer Zentralverarbeitungseinheit zum AusfOhren eines Datenprozesses entsprechend dem Programm, wo- 

bei das Programm ein oder mehrere Datenverarbeitungseinrichtungen enthalt, 
gekennzeichnet durch 

eine Einrichtung (607) zum AusfOhren eines vorgegebenen Operationsprozesses OP1 an ersten Eingabe- 
daten D1 unter Verwendung erster Stordaten X1i zur Erzeugung umgewandelter Daten H1 der ersten Eingabe- 
daten D1, ohne AusfQhrung des Operationsprozesses OP1 an den ersten Eingabedaten D1 zur Erzeugung erster 
verarbeiteter Daten D3, 

eine Einrichtung (610) zum AusfOhren des Operationsprozesses OP1 oder eines von diesem verschiedenen 
Operationsprozesses OP1' an den umgewandelten Daten H1 zur Erzeugung verarbeiteter und umgewandelter 
Daten H2, 

eine Einrichtung (603) zum AusfOhren entweder des Operationsprozesses OP1 oder des weiteren Operati- 
onsprozesses OP1' an den ersten Stfirdaten X1i zur Erzeugung erster verarbeiteter Stordaten X1o, 

eine Einrichtung (610) zum Erzeugen verarbeiteter und umgewandelter Daten H3 durch Umwandeln der 
verarbeiteten und umgewandelten Daten H2 unter Verwendung zweiter Stordaten X2i, 

eine Einrichtung (605) zum AusfOhren eines ROckwandlungsprozesses an den verarbeiteten und umgewan- 
delten Daten H3 unter Verwendung der ersten verarbeiteten St6rdaten X1o zur Erzeugung verarbeiteter und um- 
gewandelter Daten H4, 

eine Einrichtung (614) zum AusfOhren entweder eines vorgegebenen Operationsprozesses OP2 oder eines 
von diesem verschiedenen weiteren Operationsprozesses OP2' an den verarbeiteten und umgewandelten Daten 
H4 zur Erzeugung verarbeiteter und umgewandelter Daten H5, ohne AusfQhrung des Operationsprozesses OP2 
an den ersten verarbeiteten Daten D3 zur Erzeugung der ersten und der zweiten verarbeiteten Daten D2, 

eine Einrichtung (620) zum AusfOhren entweder des Operationsprozesses OP2 oder des weiteren pperati- 
onsprozesses OP2' an den zweiten Stordaten X2i zur Erzeugung zweiter verarbeiteter Stordaten X2o, und 

eine Einrichtung (616) zum Verarbeiten der verarbeiteten und umgewandelten Daten H2 unter Verwendung 
der zweiten verarbeiteten Stordaten X2o zur Erzeugung der verarbeiteten Daten D2. 

Informationsverarbeitungseinrichtung, gekennzeichnet durch 

eine Einrichtung (812) zum AusfOhren eines vorgegebenen Operationsprozesses OP1 an ersten Eingabe- 
daten D1 unter Verwendung erster Stordaten X1i zur Erzeugung umgewandelter Daten H1 der ersten Eingabe- 
daten D1 , ohne AusfQhrung des Operationsprozesses OP1 an den ersten Eingabedaten D1 zur Erzeugung erster 
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verarbeiteter Daten D3, 

eine Einrichtung (814) zum Ausfiihren des Operationsprozesses OP1 odereines von diesem verschiedenen 
weiteren Operationsprozesses OP1' an den umgewandelten Daten H1 zur Erzeugung verarbeiteter und umge- 
wandelter Daten H2, 

eine Einrichtung (803) zum Ausfiihren entweder des Operationsprozesses OP1 oder des weiteren Operati- 
onsprozesses OP1" an den ersten Stordaten X1i zur Erzeugung erster verarbeiteter Stordaten X1o, 

eine Einrichtung (816) zum Erzeugen verarbeiteter und umgewandelter Daten H3 durch Umwandeln der 
verarbeiteten und umgewandelten Daten H2 unter Verwendung zweiter Stordaten X2i, 

eine Einrichtung (818) zum Ausfiihren eines RQckwandlungsprozesses an den verarbeiteten und umgewan- 
delten Daten H3 unter Verwendung der ersten verarbeiteten Stordaten X1o zur Erzeugung verarbeiteter und um- 
gewandelter Daten H4, 

eine Einrichtung zum Ausfiihren entweder eines vorgegebenen Operationsprozesses OP2 Oder eines von 
diesem verschiedenen weiteren Operationsprozesses OP2' an den verarbeiteten und umgewandelten Daten H4 
zur Erzeugung verarbeiteter und umgewandelter Daten H5, ohne Ausfuhrung des Operationsprozesses OP2 an 
den ersten verarbeiteten Daten D3 zur Erzeugung der ersten und der zweiten verarbeiteten Daten D2, 

eine Einrichtung (807) zum Ausfiihren entweder des Operationsprozesses OP2 oder des weiteren Operati- 
onsprozesses OP2" an den zweiten Stordaten X2i zur Erzeugung zweiter verarbeiteter Stordaten X2o, 

eine Einrichtung (809) zum Erzeugen einheitlicher Stordaten Xo durch Vereinheitlichen der ersten und der 
zweiten verarbeiteten Stordaten X1o und X2o, und 

eine Einrichtung (820) zum Ausfiihren eines RQckwandlungsprozesses an den verarbeiteten und umgewan- 
delten Daten H4 unter Verwendung der einheitlichen Stordaten Xo zur Erzeugung der verarbeiteten Daten D2. 

5. Einrichtung nach Anspruch 1 mit ferner 

einer Einrichtung (704) zum Speichern der verarbeiteten Stordaten Xo, und 

einer Einrichtung (71 3) zum Verarbeiten der verarbeiteten und umgewandelten Daten unter Verwendung der 
gespeicherten verarbeiteten StSrdaten Xo zur Erzeugung neuer verarbeiteter umgewandelter Daten. 

6. Einrichtung nach einem der vorhergehenden Anspruche, wobei die Stdrdaten unter Verwendung einer Zufallszah! 
erzeugt werden. 

7. Einrichtung nach Anspruch 1 , wobei 

der Datenumwandlungsprozeli (a) ein logischer Exklusiv-ODER-Prozefi oder (b) ein Addierprozefi oder (c) 
ein Subtraktionsprozeli oder (d) ein Multiplikationsprozeli oder (e) ein Divisionsprozefi zwischen den Stordaten 
Xi und den Eingabedaten D1 ist und 

der Datenruckwandlungsprozefi (a) ein logischer Exklusiv-ODER-Prozeli Oder (b) ein Subtraktionsprozeli 
oder (c) ein Additionsprozefi oder (d) ein Divisionsprozefi oder (e) ein Multiplikationsprozeli zwischen den verar- 
beiteten Stordaten Xo und den verarbeiteten und umgewandelten Daten H2 ist. 

8. Einrichtung nach Anspruch 1 , wobei dann, wenn der Eingabedatenprozeli einen Additions/Subtraktionsprozeli in 
einer Modularrechnung enthait, der Datenumwandlungsprozeli mit einer Addition/Subtraktion einer Zahl arbeitet, 
die einen Modulus N mit einer beliebigen ganzen Zahl multipliziert. 

9. Einrichtung nach Anspruch 1 , wobei dann, wenn der Eingabedatenprozeli einen Multiplikationsprozeli in einer 
Modularrechnung enthSIt und die Zahlen X und Y die Bedingung 1 = X * Y mod N erfullen, 

(a) X in der Modularrechnung des Datenumwandlungsprozesses mit einer ganzen Zahl und 

Y mit einer ganzen Zahl multipliziert wird, sooft die Daten umwandelnde Verarbeitungseinrichtung mit X mul- 
tipliziert, oder 

(b) (N+1 )/2 in der Modularrechnung des Datenumwandlungsprozesses mit einer ganzen Zahl multipliziert wird, 
wobei N als Modulus der Modularrechnung benutzt wird und 

2 mit einer ganzen Zahl multipliziert wird, sooft die Daten umwandelnde Verarbeitungseinrichtung in dem 
Datenruckwandlungsprozefi mit (N+1J/2 multipliziert, oder 

(c) 2 in der Modularrechnung des Daten umwandelnden Prozesses mit einer 
ganzen Zahl multipliziert wird und 

(N+1)/2 mit einer ganzen Zahl multipliziert wird, sooft die Daten umwandelnde Verarbeitungseinrichtung in 
dem Datenruckwandlungsprozefi mit 2 multipliziert, wobei N als Modulus der Modularrechnung benutzt wird. 

10. Einrichtung nach Anspruch 1 , wobei der Datenumwandlungsprozeli Positionen von Arraydaten regelmafiig Sndert 
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und der DatenruckwandlungsprozeG auf die durch den DatenumwandiungsprozeR geanderten Arraydaten zu- 
greift. 

11. Einrichtung nach Anspruch 10, wobei die Positionen der Arraydaten durch ein logisches Exklusiv-ODERzwischen 
s einem Index (Argument) der Arraydaten und einer bestimmten Zahl regelma&ig geSndert werden, ein logisches 

Exklusiv-ODER zwischen dem Index der Arraydaten und der von dem DatenumwandlungsprozefJ benutzten Zahl 
als Index des umgewandelten Datenarrays verwendet wird, und der Datenruckwandlungsprozeli entsprechend 
dem umgewandelten Index auf die Arraydaten zugreift. 

10 12. Einrichtung nach Anspruch 1, wobei der Operationsprozed OP1 (a) ein datentauschender PermutationsprozeH 
auf der Basis einer 1-Bit-Einheit Oder (b) ein datentauschender SubstitutionsprozelJ auf der Basis einer 1-Bit- 
Einheit oder (c) ein Datentauschprozeli unter Verwendung einer Tabelle ist, und wobei der Datenumwandlungs- 
prozeli und der DatenruckwandlungsprozeG ein logischer Exklusiv-ODER-ProzefA an den Daten ist. 

is 13. informationsverarbeitungseinrichtung mit einer Verarbeitungseinheit zum Verarbeiten von Eingabedaten entspre- 
chend einem Computerprogramm und zur Ausgabe der verarbeiteten Daten, gekennzeichnet durch 

eine Einrichtung (709) zum Umwandeln von Eingabedaten D1 unter Verwendung von Stordaten Xi zur Er- 
zeugung umgewandelter Daten H1 , ohne AusfQhrung eines vorgegebenen Operationsprozesses OP1 an den Ein- 
gabedaten D1 zur Erzeugung verarbeiteter Daten D2, 

20 eine Einrichtung (712) zum Ausfuhren des Operationsprozesses OP1 oder eines von diesem verschiedenen 

weiteren Operationsprozesses OP1' an den umgewandelten Daten H1 zur Erzeugung verarbeiteter und umge- 
wandelter Daten H2, 

eine Einrichtung (701) zum Ausfuhren entweder des Operationsprozesses OP1 oder des weiteren Operati- 
onsprozesses OPV an den Stordaten Xi zur Erzeugung verarbeiteter Stordaten Xo und 
25 eine Einrichtung (713) zum Ausfuhren eines Datenruckwandlungsprozesses OP2 an den verarbeiteten und 

umgewandelten Daten H2 unter Verwendung der verarbeiteten Stordaten Xo zur Erzeugung der verarbeiteten 
Daten D2 als Resultat des Operationsprozesses OP1 an den Eingabedaten D1. 



so Revendications 

1. Equipement de traitement d'informations comportant : 

une memoire de stockage incluant une unite de memorisation de programme et une unite de memorisation 

35 de donnees, 

une unite centrale de traitement pour executer un traitement de donnees conformement au programme, le 
programme incluant un ou plusieurs moyens de traitement de donnees, chacun etant une instruction de trai- 
tement destinee a donner une instruction d'execution a ladite unite centrale de traitement, et 
des moyens de traitement de donnees d'entree dans lesquels un moyen de traitement de donnees traite des 

40 donnees d'entree et delivre en sortie des donnees traitees, 

caracterise par 

des moyens de traitement de transformation de donnees (406) pour transformer des donnees d'entree D1 
en utilisant des donnees de perturbation Xi en vue de generer des donnees transformees H1, 

45 des moyens de traitement de donnees transformees (408) pour executer un traitement d'operation OP1 pour 

les donnees transformees H1 a la place du traitement d'operation OP1 pour les donnees d'entree D1 a executer 
par lesdits moyens de traitement de donnees d'entree, en vue de generer des donnees traitees et transformees H2. 

des moyens de traitement de donnees de perturbation (403) pour executer un traitement d'operation OP1 
pour les donnees de perturbation Xi en vue de generer des donnees de perturbation traitees Xo, et 

50 des moyens de traitement de non-transformation de donnees (410) pour executer un traitement d'operation 

OP2 pour les donnees traitees et transformees H2 en utilisant les donnees de perturbation traitees Xo, en vue de 
generer des donnees traitees D2 qui sont un resultat du traitement d'operation OP1 des donnees d'entree D1. 

2. Equipement de traitement d'informations comportant : 

55 

une memoire de stockage incluant une unite de memorisation de programme et une unite de memorisation 
de donnees, et 

une unite centrale de traitement pour executer un traitement de donnees conformement au programme, le 
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programme incluant un ou plusieurs moyens de traitement de donnees, 
caracterise par 

des moyens (506) pour executer un traitement d'operation predetermine OP1 pour des premieres donnees 
d'entree D1 en utilisant des premieres donnees de perturbation X1i pour generer des donnees transformees H1 
des premieres donnees d'entree D1, sans executer le traitement d'operation OP1 pour les premieres donnees 
d'entree D1 pour generer des premieres donnees traitees D2, 

des moyens (508) pour executer le traitement d'operation OP1 ou un autre traitement d'operation OP1' dif- 
ferent du traitement d'operation OP1 relatif aux donnees transformees H1 en vue de generer des donnees traitees 
et transformees H2, 

des moyens (503) pour executer le traitement d'operation OP1 ou I'autre traitement d'operation OPT pour 
les premieres donnees de perturbation X1 i en vue de generer des premieres donnees de perturbation traitees X1o, 

des moyens (510) pour generer des donnees traitees et transformees H3 en transformant les donnees trai- 
tees et transformees H2 en utilisant des secondes donnees de perturbation X2i, 

des moyens (512) pour executer le traitement d'operation OP1 ou I'autre traitement d'operation OP1" pour 
les donnees traitees et transformees H3 en vue de generer des donnees traitees et transformees H4, 

des moyens (518) pour executer le traitement d'operation OP1 ou I'autre traitement d'operation OP1' pour 
les secondes donnees de perturbation X2i en vue de generer des secondes donnees de perturbation traitees X2o, 

des moyens (520) pour traiter les donnees traitees et transformees H4 en utilisant les secondes donnees 
de perturbation traitees X2o en vue de generer des donnees traitees et transformees H5, et 

des moyens (514) pour traiter les donnees traitees et transformees H5 en utilisant les premieres donnees 
de perturbation traitees X1o en vue de generer les premieres donnees traitees D2. 

Equipement de traitement d'informations com porta nt : 

une memoire de stockage incluant une unite de memorisation de programme et une unite de memorisation 
de donnees, et 

une unite centrale de traitement pour executer un traitement de donnees conformement au programme, le 
programme incluant un ou plusieurs moyens de traitement de donnees, 

caracterise par 

des moyens (607) pour executer un traitement d'operation predetermine OP1 pour des premieres donnees 
d'entree D1 en utilisant des premieres donnees de perturbation X1 i en vue de generer des donnees transformees 
H1 des premieres donnees d'entree D1, sans executer le traitement d'operation OP1 pour les premieres donnees 
d'entree D1 pour generer des premieres donnees traitees D3, 

des moyens (610) pour executer le traitement d'operation OP1 ou I'autre traitement d'operation OP1' different 
du traitement d'operation OP1 relatif aux donnees transformees H1 en vue de generer des donnees traitees et 
transformees H2, 

des moyens (603) pour executer le traitement d'operation OP1 ou I'autre traitement d'operation OP1" pour 
les premieres donnees de perturbation X1 i en vue de generer des premieres donnees de perturbation traitees X1 o, 

des moyens (612) pour generer des donnees traitees et transformees H3 en transformant les donnees trai- 
tees et transformees H2 en utilisant des secondes donnees de perturbation X2i, 

des moyens (605) pour executer un traitement de non-transformation des donnees traitees et transformees 
H3 en utilisant les premieres donnees de perturbation traitees X1o en vue de generer des donnees traitees et 
transformees H4, 

des moyens (614) pour executer un traitement d'operation predetermine OP2 ou un autre traitement d'ope- 
ration OP2' different du traitement d'operation OP2 pour les donnees traitees et transformees H4 en vue de generer 
des donnees traitees et transformees H5, sans executer le traitement d'operation OP2 pour les premieres donnees 
traitees D3 en vue de generer les premieres et secondes donnees traitees D2, 

des moyens (620) pour executer le traitement d'operation OP2 ou I'autre traitement d'operation OP2' pour 
les secondes donnees de perturbation X2i en vue de generer des secondes donnees de perturbation traitees X2o, 
et 

des moyens (616) pour traiter les donnees traitees et transformees H5 en utilisant les secondes donnees 
de perturbation traitees X2o en vue de generer les donnees traitees D2. 

Equipement de traitement d'informations caracterise par 

des moyens (812) pour executer un traitement d'operation predetermine OP1 pour les premieres donnees 
d'entree D1 en utilisant des premieres donnees de perturbation X1i en vue de generer des donnees transformees 
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H1 des premieres donnees d'entree D1 , sans exporter le traitement d'operation OP1 pour les premieres donnees 
d'entree D1 en vue de generer des premieres donnees traitees D3, 

des moyens (814) pour executer le traitement d'operation OP1 ou un autre traitement d'operation OPT dif- 
ferent du traitement d'operation OP1 pour les donnees transformees H1 en vue de generer des donnees traitees 
et transformees H2, 

des moyens (803) pour executer le traitement d'operation OP1 ou I'autre traitement d'operation OP1' pour 
les premieres donnees de perturbation X1i en vue de generer des premieres donnees de perturbation traitees X1o, 

des moyens (816) pour generer des donnees traitees et transformees H3 en transformant les donnees trai- 
tees et transformees H2 en utilisant des secondes donnees de perturbation X2i, 

des moyens (818) pour executer un traitement de non-transformation pour les donnees traitees et transfor- 
mees H3 en utilisant les premieres donnees de perturbation traitees X1o en vue de generer des donnees traitees 
et transformees H4, 

des moyens pour executer un traitement d'operation predetermine OP2 ou un autre traitement d'operation 
OP2' different du traitement d'operation OP2 pour les donnees traitees et transformees H4 en vue de generer des 
donnees traitees et transformees H5, sans executer le traitement d'operation OP2 pour les premieres donnees 
traitees D3 en vue de generer les premieres et secondes donnees traitees D2, 

des moyens (807) pour executer le traitement d'operation OP2 ou I'autre traitement d'operation OP2" pour 
les secondes donnees de perturbation X2i en vue de generer des secondes donnees de perturbation traitees X2o, 

des moyens (809) pour generer des donnees de perturbation unifiees Xo en unifiant les premieres et secon- 
des donnees de perturbation traitees X1o et X2o, et 

des moyens (820) pour executer un traitement de non-transformation pour les donnees traitees et transfor- 
mees H4 en utilisant les donnees de perturbation unifiees Xo en vue de generer les donnees traitees D2. 

Equipement selon la revendication 1, comportant en outre 

des moyens (704) pour memoriser les donnees de perturbation traitees Xo, et 

des moyens (713) pourtraiter les donnees traitees et transformees en utilisent les donnees de perturbation 
memorisees et traitees Xo en vue de generer de nouvelles donnees traitees et transformees. 

Equipement selon Tune quelconque des revendications precedentes, dans lequel les donnees de perturbation 
sont generees en utilisant un nombre aleatoire. 

Equipement selon la revendication 1 , dans lequel 

le traitement de transformation de donnees est (a) un traitement OU-exclusif logique, ou (b) une operation 
d'addition, ou (c) une operation de soustraction, ou (d) une operation de multiplication, ou (e) une operation de 
division entre les donnees de perturbation Xi et les donnees d'entree D1, et 

le traitement de non-transformation de donnees est (a) un traitement OU-exclusif logique, ou (b) une ope- 
ration de soustraction, ou (c) une operation d'addition, ou (d) une operation de division, ou (e) une operation de 
multiplication entre les donnees de perturbation traitees Xo et les donnees traitees et transformees H2. 

Equipement selon la revendication 1 , dans lequel, si le traitement de donnees d'entree inclut un traitement d'ad- 
dition/soustraction dans un calcul modulaire, le traitement de transformation de donnees utilise une addition/sous- 
traction d'un nombre multipliant un modulo N par un nombre entier arbitral re. 

Equipement selon la revendication 1, dans lequel, si le traitement de donnees d'entree inclut un traitement de 
multiplication dans un calcul modulaire et des nombres X et Y satisfont 1 = X * Y mod N, 

(a) X est multiplie par un nombre entier dans le calcul modulaire du traitement de transformation de donnees, et 
Y est multiplie par un nombre entier par le nombre de fois que lesdits moyens de traitement de transformation 
de donnees ont multiplie X, ou 

(b) (N+1)/2 est multiplie par un nombre entier dans le calcul modulaire du traitement de transformation de 
donnees, en utilisant N comme un modulo du calcul modulaire, et 

2 est multiplie par un nombre entier par le nombre de fois que lesdits moyens de traitement de transformation 
de donnees ont multiplie (N+1)/2, dans le traitement de non-transformation de donnees, ou 

(c) 2 est multiplie par un nombre entier dans le calcul modulaire du traitement de transformation de donnees, et 
(N+1)/2 est multiplie par un nombre entier par le nombre de fois que lesdits moyens de traitement de trans- 
formation de donnees ont multiplie 2, dans le traitement de transformation de donnees, en utilisant N comme 
un modulo du calcul modulaire. - 
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1 0. Equipement selon la revendication 1 , dans lequel le traitement de transformation de donnees change regulierement 
les positions des donnees de tableau, et le traitement de non-transformation de donnees accede aux donnees de 
tableau changees par le traitement de transformation de donnees. 

1 1 . Equipement selon la revendication 1 0, dans lequel les positions des donnees de tableau sont regulierement chan- 
gees parl'intermediaire d'un OU-exclusif logique entre un indice (argument) des donnees de tableau et un certain 
nombre, un OU-exclusif logique entre I'indice des donnees de tableau et le nombre utilise par le traitement de 
transformation de donnees est utilise en tant qu'indice du tableau de donnees transformees, et le traitement de 
transformation de donnees accede aux donnees de tableau conformement a I'indice transforme. 

1 2. Equipement selon la revendication 1 , dans lequel le traitement d'operation OP1 est (a) un traitement de permutation 
de donnees d'echange sur une base d'unite a un bit, ou (2) un traitement de substitution de donnees d'echange 
sur une base d'unite a un bit, ou (c) un traitement d'echange de donnees en utilisant un tableau, et le traitement 
de transformation de donnees et le traitement de non-transformation de donnees sont un traitement OU-exclusif 
logique des donnees. 

13. Equipement de traitement d'informations, comportant une unite de traitement pour traiter des donnees d'entree 
conformement a un programme informatique et delivrer en sortie les donnees traitees, caracterise par 

des moyens (709) pour transformer des donnees d'entree D1 en utilisant des donnees de perturbation Xi en 
vue de generer des donnees transformees X1, sans executer un traitement d'operation predetermine OP1 pour 
les donnees d'entree D1 en vue de generer les donnees trait fees D2, 

des moyens (712) pour executer le traitement d'operation OP1 ou un autre traitement d'operation OPT dif- 
ferent du traitement d'operation QP1 pour les donnees transformees H1 en vue de generer des donnees traitees 
et transformees H2, 

des moyens, (701) pour executer le traitement d'operation OP1 ou I'autre traitement d'operation OP1' pour 
les donnees de perturbation Xi en vue de generer des donnees de perturbation traitees Xo, et 

des moyens (713) pour executer un traitement de non-transformation de donnees OP2 pour les donnees 
traitees et transformees H2 en utilisant les donnees de perturbation traitees Xo en vue de generer les donnees 
traitees D2 en resultat du traitement d'operation OP1 pour les donnees D1. 
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